Additional Blogs by SAP
cancel
Showing results for 
Search instead for 
Did you mean: 
frank_bannert
Active Participant

Hello GRC folks!


Today we configure BusinessObjects Access Control 5.3 SP8 Compliant User Provisioning (CUP).

What we want to do is to

  • approve requests automatically if the risk analysis found no violations
  • start a workflow with manual approval/mitigation/denial process if risk analysis found violations for the request

 Motivation is that you

  • want as little manual system interaction for your approvers as possible
  • possibly have an integrated scenario with Identity Management and a (manager) approval has already been done on the Identity Management (IdM) application side
  • only want to involve approvers, if violations arise

Big picture is that you configure

  • a workflow A with your initiator and a stage with approver determinator  "NO STAGE"
  • a workflow B for the detour with your stage(s) you want to have if violations were found
  • a detour for A which detours to B if SoD violations were found for the request
  • the parameter "Risk Analysis on request submission" to "YES"

CUP should now behave like this

  • Request comes in (manually or via web service from IdM)
  • Risk Analysis (CUP calls RAR via web service) is done and results saved in request
  • Initiator activates your workflow A
  • Detour checks if conditions are met
  • Two options
  •   ->1. No violations found, workflow A goes to stage "No Stage", approves automatically and optional does autoprovisioning
  •   ->2. Violations found, Detour conditions met, detour from A to B, request arrives at first stage configured in workflow B with all options of CUP (approval, denial, mitiagation,etc.)

Now some screenshots to visualize the configuration

  • Parameter to set (Goto->Configuration->Risk Analysis)
  • Initiator (could be any condition for your use case)
  • Stage with "No Stage" approver determinator
  • The two workflows you need
  • First workflow with no stage
  • Detour workflow if violations detected
  • Detour configuration


Hope this helps your business!

Best regards,
Frank

PS: Special thanks to the mastermind of this idea Frank Koehntopp.

1 Comment